Method and apparatus for processing administration of a secured community

ABSTRACT

A method and apparatus for processing administration in a secure community, or communication system, is accomplished by dividing the single computing device's functionality of the administrator/officer/server into physically separate computing devices that function as a serving entity and an administrative entity. In the secure system, when an administrative entity has an administrative function to perform for one of its end-users, it requests a permissions matrix from the serving entity. The serving entity, after authenticating the administrative entity, sends the permissions matrix to the requesting administrative entity in an encoded format. The permissions matrix indicates which administrative functions the requesting administrative entity is authorized to perform for its affiliated end-users. Upon receiving the permissions matrix, the administrative entity verifies the authenticity of the permissions matrix based on the encoded format. When the authenticity of the permissions matrix is verified, the administrative entity generates an administrative request based on an administrator's input and the permissions matrix and sends it to the serving entity over a secure communication link. Upon receiving the administrative request, the serving entity verifies the identity of the administrative entity, verifies validity of the request according to the permissions matrix, and, if verified, processes the administrative requests on behalf of the particular end-user.

TECHNICAL FIELD OF THE INVENTION

This invention relates generally to encryption and more particularly to the administration of certificate management within a secured communication system.

BACKGROUND OF THE INVENTION

As is known, a secure communication system includes a plurality of end-users (sometimes referred to as "clients"), and at least one processor for each of a server/manager, an officer, and an administrator. The administrator is affiliated with the end-users, or clients, and processes, signs, and/or encrypts certificates for such end-users. For example, the administration processor processes the adding, deleting, updating, and preparing status reports of end-users' signature public key pairs and encryption public key pairs. As a further example, when an end-user leaves the secured communication system, the administrator, via an administration processor, disables the end-user's signature and deletes the encryption public key certificate from a directory. The directory lists the public key certificates for each end-user within the secured communication system. When an end-user is added to the secured communication system, the administrator, via the administration processor, supplies a request to the server that is requesting the server enable the new end-user for certificate management. When an end-user has lost access to his or her private key history, the administrator, via the administration processor, requests that the server recover the end-user's key.

In the secure communication system, the administration processor, the officer processor, and server are located within a single computing unit. Thus, any requests received by the server from the administration processor can readily be authenticated because they are both part of the same machine. Similarly, when the officer initiates policy changes, the policy changes can be securely conveyed to the administration processor and the server, again because they are in the same machine. While this works well in many applications, as secure communication systems grow in number of end-users and locales, the task of managing the administration processor and the officer processor exceeds the realistic capabilities of the single administrator/officer/server computing device. Thus, without developing a new secured communications system architecture that eliminates the single administrator/officer/server computing device, secured communication system growth is limited.

Therefore, a need exists for a method and apparatus for processing administration of a secure community, or communications system, that allows for expansion of the number of end-users and their locales.

BRIEF DESCRIPTION OF THE DRAWING

FIG. 1 illustrates a schematic block diagram of a secured communications system in accordance with the present invention;

FIG. 2 illustrates a schematic block diagram of a serving entity and administrative entity in accordance with the present invention;

FIG. 3 illustrates a logic diagram of a method for processing administration of a secured communications system in accordance with the present invention;

FIG. 4 illustrates a logic diagram of a method for an administrative entity to receive permissions matrix in accordance with the present invention; and

FIG. 5 illustrates a logic diagram of a method for processing a plurality of administrative requests in accordance with the present invention.

SUMMARY OF THE INVENTION

Generally, the present invention provides a method and apparatus for processing administration in a secure community, or communication system. This is accomplished by dividing the single computing device's functionality of the administrator/officer/server into physically separate computing devices that function as a serving entity and an administrative entity. Because the administrative entity and serving entity are separate computing devices, communication between the two entities needs to be authenticated and the administrative functions tightly controlled. To this end, when an administrative entity has an administrative function to perform for one of its end-users, it requests a permissions matrix from the serving entity. The serving entity, after authenticating the administrative entity, sends the permissions matrix to the requesting administrative entity in an encoded format. The permissions matrix indicates which administrative functions the requesting administrative entity is authorized to perform for its affiliated end-users.

Upon receiving the permissions matrix, the administrative entity verifies the authenticity of the permissions matrix based on the encoded format. For example, assume that the serving entity encoded the permissions matrix using a public/private key encryption process and signature public key certificate. To authenticate the permissions matrix, the administrative entity verifies that the signature public key certificate is that of the serving entity. If so, the administrative entity can trust that the permissions matrix came from the serving entity and is thus authenticated.

When the authenticity of the permissions matrix is verified, the administrative entity generates an administrative request based on an administrator's input and the permissions matrix. The administrator's input, which is done by an administrator on behalf of an end-user affiliated with the administrative entity, indicates the particular administration function to be processed for the end user. The administrative entity sends the administrative request to the serving entity over a secure communication link. Upon receiving the administrative request, the serving entity verifies the identity of the administrative entity. This is done using the signature of the administrative entity. Once verified, the serving entity processes the administrative requests on behalf of the particular end-user. With such a method and apparatus, the serving entity and administrative entity are divided into separate computing devices. The officer of previous systems has been rolled into the administrative entity thus enabling selected administrative entities to establish the policy for the secured communication system. By having the administrative entity and serving entity being in physically separate computing devices, a secured communications system may grow in number of end-users and locales.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

The present invention can be more fully described with reference to FIGS. 1 through 5. FIG. 1 illustrates a schematic block diagram of a secured communications system (or community) 10 that includes a serving entity 12, a database 14, a plurality of administrative entities 16, 18, and a plurality of end-users 22-40. The serving entity 12 may be an individual stand alone computing device that includes a microprocessor, microcontroller, digital signal processor, or any other device that manipulates digital information based on programming instructions, or a plurality of computing devices. Alternatively, the serving entity could be a plurality of computing devices that function as stand-alone devices or that are networked together. In general, the serving entity 12 functions as the key management server, wherein the serving entity 12 includes Entrust/manager software, which is manufactured by Entrust Technologies, Ltd.

The end-users 22-40 are stand-alone computing devices that are equipped with encryption software such as the Entrust/Client software manufactured and distributed by Entrust Technologies, Ltd. The end-users, with the Entrust/Client software, are enabled to securely transmit encrypted messages to each other using the public key of the recipient end-users. Note that the end-users are shown in three separate groups. The first group of end-users includes end-user 20 through 26, the second group includes end-user 28 through 34, and the third group includes end-user 36 through 40. The grouping of end-users is done for illustration purposes to demonstrate that end-users may be in physically separate locales. For example, if the secured communications system 10 is owned and operated by a large multi-national company, the first group of end-users 20-26 may be located in one country, while the end-users in the other two groups may be located in different countries.

As shown, the administrative entity 16 is affiliated with end-users 20-26 and administrative entity 18 is affiliated with end-users 28-34. Each of these administrative entities 16 and 18 performs certificate administrative functions for their local end-user groups. Such administrative functions include key recovery, key addition, key deletion, policy change, change of an end-user's attributes, change of the administrative entity's attributes, and authority to change other administrative entities' attributes and permissions. These administrative functions are shown in the permissions matrix 42. Note that one or both of the administrative entities 16 and 18 will process certificate administrative functions for the group of end-users 36-40.

The permissions matrix 42 includes a field for administrative functions, an allowed field and a number of authorities field. The allowed field provides an indication as to whether the administrative entity is allowed to perform the corresponding administrative functions. The number of authorities field provides an indication as to the number of administrative entities that must authorize, or sign, the corresponding administrative function before the serving entity will execute it. The illustrated permissions matrix 42 includes the administrative functions of: key recovery, key addition, key deletion, policy change, change end-user attributes, change administrative entity attributes, authority to change other administrative entities' attributes and permissions. Of the administrative functions, the corresponding administrative entity is allowed to perform all of the functions except policy change and changing other administrative entities' attributes and permissions. For the functions that this administrative entity is allowed to perform, all but the change attributes of the administrative entity (i.e., change its own attributes) can be done with a single administrative entity authorization.

As mentioned, the administrative functions of the permissions matrix 42 include, but are not limited to: key recovery, key addition, key deletion, policy change, change end-user attributes, change administrative entity attributes, authority to change other administrative entities' attributes and permissions. Key recovery is an administrative function that enables the administrative entity to request, on behalf of an end-user that has lost his or her private key, to recover the private key from the serving entity. Key addition and key deletion allow the administrative entity to add or delete end-users to their affiliated group by requesting of the serving entity that public key pairs are either added or deleted for a particular end-user. The secured policy change enables a selected administrative entity to determine which administrative entities will service which group of end-users, establish default security parameters for the secured communications system and other officer related functions. Changing the attributes of an end-user allows an administrative entity to establish the end-user's certificate parameters such as public keys, level of secured access, etc. Changing the attributes of another administrative entity allows a selected administrative entity to determine which administrative functions a particular administrative entity is authorized to perform. Changing the administrator's own attributes allows the administrator to select which administrative functions it chooses to perform for its associated end-users.

In operation, the administrative entity 16, 18 provides a request to the serving entity 12. The request may be a permission request 44 or an administrative function request 46. A permission request 44 includes an identification code of the administrative entity and a request for a copy of the permissions matrix 42. In general, the administrative entity 16 or 18 only stores the permissions matrix 42 for a short inactive duration (e.g., thirty minutes or less). Thus, as long as the administrative entity is processing administrative functions for its end-users more often than once every half hour, it will retain a copy of the permissions matrix 42.

Upon receiving the permission request 44, the serving entity 12 verifies the identity of the administrative entity 16, 18 based on the identity of the administrative entity. In addition, the serving entity 12 may further verify the authenticity of the request when the request includes a signature of the administrative entity. If the administrative entity is authenticated, the serving entity 12 provides an encoded copy of the permissions matrix to the requesting administrative entity. The encoded permissions matrix message 48 includes the identity of the administrative entity, an encoded copy of the permissions matrix, and the signature of the serving entity 12.

When the administrative entity 16, 18 receives the encoded permissions matrix message 48, it authenticates the signature of the serving entity. To authenticate the signature, the administrative entity uses a trusted public key of the serving entity. If the signature verification process, which is included in Entrust/Client software, confirms that the signature corresponds with the trusted key, the signature is authenticated and the administrative entity can trust that the permissions matrix came from the serving entity. Once the administrative entity 16, 18 has verified the authenticity of the signature, it stores the permissions matrix 42 such that it may utilize it to process administrative functions on behalf of its associated end-users.

The administrative entities may also transmit an administrative request 46 to the serving entity 12. The administrative request 46 includes the identity of the administrative entity, which may be an identification code, or some other unique identification means, and the particular administrative request. Typically, the administrative request will be based on the administrative entity's current copy of the permissions matrix 42. As such, the administrative entity will only request a service that it believes it is authorized to perform on behalf of its end-users.

The serving entity 12, upon receiving the administrative request 46, verifies the identity of the administrative entity and whether the requested administrative function is consistent with the permissions matrix 42 maintained by the serving entity 12 for the requesting administrative entity. If so, the serving entity 12 provides a message 50 to the requesting administrative entity. The message 50 includes the identity of the administrative entity and the particular process requests. For example, if the administrative request were for the addition of a public key pair for a new end-user, the processed request would include the public key pair for the new end-user.

By including the permissions matrix 42 in the secure communication system 10, administrative entities may be assigned the tasks of an officer wherein the assigned administrative entity performs policy changes for the overall communications system 10. The permissions matrix further allows the scaling of responsibilities of the administrative entities. For example, one administrative entity may be allowed to perform only key recovery, key addition and key deletion while another may be allowed to perform every administrative function for the communications system 10.

FIG. 2 illustrates a schematic block diagram of the serving entity 12 and the administrative entity 16, 18. The serving entity 12 is shown to include a processing unit 60 and memory 62. The processing unit 60 may be a microprocessor, a microcontroller, a digital signal processor, a central processing unit, or any other device that manipulates digital information based on programming instructions. The memory 62 may be read-only memory, RAM, floppy disk memory, hard drive memory, CD-ROM, DVD memory, magnetic tape, or any other means for storing digital information.

The memory 62 stores programming instructions, which when read by the processing unit 60, cause the processing unit to function as various circuits. When executing the programming instructions, the processing unit 60 functions as a circuit 64 to receive administrative and/or permission requests. Upon receiving the requests, the processing unit 60 functions as a circuit 66 to verify the identity of the administrative entity. The circuit 66 also determines whether the request is an administrative request or a permission request. Next, the processing unit 60 functions as a circuit 68 to determine whether the administrative request is consistent with the permissions matrix. Next, the processing unit 60 functions as a circuit 70 to process the administrative requests or the permission request. A more detailed discussion of the functionality of the processing unit 60 while performing the programming instructions stored in memory 62 will be discussed below with reference to FIGS. 3 through 5.

The administrative entity 16 and 18 each includes a processing unit 72 and memory 74. The processing unit 72 may be a microprocessor, a microcontroller, a digital signal processor, a central processing unit or any other device that manipulates digital information based on programming instructions. The memory may be read-only memory, RAM, floppy disk memory, hard drive memory, magnetic tape memory, DVD memory, CD memory, or any other means for storing digital information.

The memory 74 stores programming instructions that, when read by the processing unit 72, cause the processing unit 72 to function as a plurality of circuits. When reading the program instructions, the processing unit 72 functions as a circuit 74 to obtain a permissions matrix. Next, while continuing to read the programming instructions, the processing unit functions as a circuit 76 to verify authenticity of the permissions matrix. The processing unit then functions as a circuit 78 to generate an administrative request. Finally, the processing unit functions as a circuit 80 to provide the administrative request to the serving entity 80. The functionality of the processing unit 72 while performing the programming instructions stored in memory 74 will be discussed in greater detail with reference to FIGS. 3 to 5.

FIG. 3 illustrates a logic diagram of a method for processing administrative functions in a secured communications system. The process begins at step 90 where an administrative entity obtains a permissions matrix from a serving entity, where the permissions matrix may be received from a single server, or from one of a plurality of servers. Note that the serving entity 12 of FIG. 1 may be a single computing device, a plurality of distributed computing devices, or one of many of a plurality of computing devices functioning as the server for the secured communications system. The permissions matrix includes a list of administrative functions that the administrative entity is authorized to process. This was discussed with reference to the permissions matrix 42 of FIG. 1.

The process then proceeds to step 92 where the administrative entity verifies the authenticity of the permissions matrix, which is done by verifying the signature of the serving entity attached to the permissions matrix message. The process then proceeds to step 94 where a determination is made as to whether the permissions matrix was authenticated or not. If not, the process is complete for this particular request. If, however, the authenticity of the permissions matrix was verified, the process proceeds to step 96. At step 96, the administrative entity generates an administrative request based on an administrative input and the permissions matrix. The administrative entity, which is a computing device, will utilize the permissions matrix to generate a graphical user interface for valid administrative options to present to an administrator. The administrator selects one or more of the valid administrative options. The administrative entity uses the selected administrative options (as administrator inputs) to generate the administrative request.

The process then proceeds to step 98 where the administrative entity provides the administrative request to the serving entity over a secured transmission link. Such a secured transmission link may be done via an on-line communication path or via a store and forward communication path. The process then proceeds to step 100 where the serving entity verifies identification of the administrative entity. This is done by verifying the identification code of the particular administrative entity and may further be done by verifying the signature of the administrative request message.

The process proceeds to step 102 where a determination is made as to whether the identity of the administrative entity was verified. If not, the process is complete for this particular request. If, however, the identity of the administrative entity was verified, the process proceeds to step 104. At step 104, a determination is made as to whether the administrative request is consistent with the permissions matrix stored by the serving entity 12. Recall that an administrative entity will use its local temporary copy of its permissions matrix to generate the administrative request. If, between the time the administrative entity stored its temporary copy of the permissions matrix and the time the request is made, the permissions matrix stored by the serving entity changes, the request would be inconsistent with the permissions matrix. If the request is not consistent with the permissions matrix, the process proceeds to step 106 where the administrative request is denied. In addition, the serving entity may provide the administrative entity with an updated permissions matrix. The serving entity would recognize the need for the administrative entity to receive an updated permissions matrix based on the fact that the administrative entity requested a service that it was not allowed to perform.

If the administrative request is consistent with the permissions matrix, the process proceeds to step 108. At step 108, the serving entity processes the administrative requests. The processed request is then provided either to the administrative entity that initiated the request, or directly to the end-user. Typically, however, the processed request will be provided to the administrative entity, which will subsequently provide the information to the end-user.

FIG. 4 illustrates a logic diagram of a method for an administrative entity to receive a valid permissions matrix. The process begins at step 110 where the administrative entity provides a permission request to the serving entity. The process then proceeds to step 112 where the serving entity determines a permissions matrix for the administrative entity. Recall that at least one of the administrative entities will have authority to determine the administrative functions that other administrative entities will be allowed to perform. Based on the inputs from the selected administrative entity, the serving entity generates a unique permissions matrix for each administrative entity in the system. Having determined the permissions matrix, the process proceeds to step 114 where the serving entity provides the permissions matrix to the administrative entity in an encoded format. The encoded format may be based on a public/private key encryption technique and include the signature public key of the serving entity.

Upon receiving the encoded permissions matrix, the administrative entity verifies the signature of the serving entity. The process then proceeds to step 118 where a determination is made as to whether the signature of the serving entity was verified. If not, the process proceeds to step 120 where the permissions matrix cannot be trusted. As such, the administrative entity does not retain the permissions matrix and would need to re-request the permissions matrix. If, however, the signature is verified, the process proceeds to step 122. At step 122, the administrative entity decrypts the permissions matrix using its private key. The administrative entity would then store the decrypted permissions matrix and be ready to process an administrative function.

FIG. 5 illustrates a logic diagram of a method for processing a plurality of administrative requests from one or more administrative entities. The process begins at step 130 where at least one administrative entity provides a plurality of administrative requests to the serving entity. The plurality of requests may be from one administrative entity, from a plurality of administrative entities where each entity is providing one request, or from a plurality of administrative entities where each entity is providing several requests. The process then proceeds to step 132 where the serving entity verifies the identity of each administrative entity for each of the plurality of requests. The process then proceeds to step 134 where a determination is made as to whether, on a request by request basis, the identity of the administrative entity was verified. If not, the process is complete for this particular request.

For each request for which the identity of the administrative entity was verified, the process proceeds to step 136 where a determination is made as to whether another administrative signature is required before the serving entity will process the request. If not, the process proceeds to step 138 where the serving entity processes each of the requests in an asynchronous manner. The asynchronous manner allows the server to complete each request as soon as the data is available and not have to wait until an earlier request is completed. As one can imagine, this improves the efficiency of the serving entity over a serial processing approach. If, however, another signature is required, the process proceeds to step 140 where a determination is made as to whether the signature has been received. If not, the process waits, for this particular request, until the signature is received. Once the signature is received, the process proceeds to step 138.
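The serving-entity checks of FIG. 3 (steps 100 through 108) and FIG. 5 (steps 136 through 140) can be sketched as follows; this is an added example, not code from the patent or from Entrust software. The entity names, function keys, the authority count of 2 and the rule that any other verified administrative entity may co-sign are assumptions, and HMAC-SHA256 stands in for the public-key signatures so that the sketch runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed keys. HMAC-SHA256 stands in for each administrative entity's
# public-key signature (assumption made so the example needs only the stdlib).
ADMIN_KEYS = {"admin16": b"constructed-key-16", "admin18": b"constructed-key-18"}


def default_matrix():
    """Permissions matrix 42 as described: function -> (allowed, authorities)."""
    return {
        "key_recovery": (True, 1),
        "key_addition": (True, 1),
        "key_deletion": (True, 1),
        "policy_change": (False, 0),
        "change_end_user_attributes": (True, 1),
        # The text only says this needs more than one authority; 2 is assumed.
        "change_own_attributes": (True, 2),
        "change_other_admin_permissions": (False, 0),
    }


def payload(requester, function, end_user):
    return json.dumps([requester, function, end_user]).encode()


def sign(signer, requester, function, end_user):
    """Signature of `signer` over a request made by `requester`."""
    msg = payload(requester, function, end_user)
    return hmac.new(ADMIN_KEYS[signer], msg, hashlib.sha256).hexdigest()


class ServingEntity:
    def __init__(self):
        # Authoritative copy: one matrix per administrative entity.
        self.matrices = {admin: default_matrix() for admin in ADMIN_KEYS}
        self.pending = {}  # request payload -> set of verified signers

    def handle(self, signer, requester, function, end_user, signature):
        # Steps 100/102: verify identity; an unverified request simply ends.
        key = ADMIN_KEYS.get(signer)
        msg = payload(requester, function, end_user)
        if key is None or not hmac.compare_digest(
                hmac.new(key, msg, hashlib.sha256).hexdigest(), signature):
            return {"status": "rejected"}
        # Step 104: check the server's own matrix, never the client's copy.
        matrix = self.matrices.get(requester, {})
        allowed, needed = matrix.get(function, (False, 0))
        if not allowed:
            # Step 106: deny; only the requester gets its updated matrix back.
            fresh = dict(matrix) if signer == requester else None
            return {"status": "denied", "updated_matrix": fresh}
        # Steps 136/140: hold the request until enough authorities have signed.
        signers = self.pending.setdefault(msg, set())
        signers.add(signer)
        if requester not in signers or len(signers) < needed:
            return {"status": "queued", "have": len(signers), "needed": needed}
        del self.pending[msg]
        # Step 108: process the request.
        return {"status": "processed", "function": function, "end_user": end_user}


def submit(server, signer, requester, function, end_user):
    return server.handle(signer, requester, function, end_user,
                         sign(signer, requester, function, end_user))


def demo():
    server = ServingEntity()
    out = [
        submit(server, "admin16", "admin16", "key_recovery", "user22"),
        submit(server, "admin16", "admin16", "change_own_attributes", "admin16"),
        submit(server, "admin18", "admin16", "change_own_attributes", "admin16"),
        server.handle("admin16", "admin16", "key_deletion", "user24", "00" * 32),
    ]
    # The serving entity's copy changes while admin16 still holds an older copy.
    server.matrices["admin16"]["key_recovery"] = (False, 0)
    out.append(submit(server, "admin16", "admin16", "key_recovery", "user26"))
    out.append(submit(server, "admin16", "admin16", "policy_change", "community"))
    return [r["status"] for r in out]


if __name__ == "__main__":
    print(demo())
```
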

The preceding discussion has presented a method and apparatus for distributing the administrative and officer functions of a secure communication system or secure community. These functions are distributed to administrative entities that are located throughout the system. In order to ensure the security of the system, a serving entity maintains a permissions matrix for each of the administrative entities in the system. Administrative entities are only provided, in an encoded format, with a copy of their permissions matrix after their identity has been verified. As such, security is maintained and the growth of a secure system is no longer limited by the single administrator/officer/server device.

What is claimed:
 1. A method for processing administration of a securecommunity, the method comprises the steps of:a) obtaining, by anadministrative entity, a permissions matrix in an encoded format from aserving entity of the secure community; b) upon receiving thepermissions matrix, verifying, by the administrative entity,authenticity of the permissions matrix based on the encoded format; c)when the authenticity of the permissions matrix is verified, generating,by the administrative entity, an administrative request based on anadministrator's input and the permissions matrix, wherein theadministrative request includes identity of the administrative entity;d) providing, by the administrative entity, the administrative requestto the serving entity over a secured link; e) verifying, by the servingentity, identity of the administrative entity; and f) when the identityof the administrative entity is verified and when the administrativerequest is consistent with the permissions matrix, processing, by theserving entity, the administrative request.
 2. The method of claim 1further comprises, within step (a), obtaining the permissions matrixfrom a single server or from one of a plurality of servers.
 3. Themethod of claim 1 further comprises, within step (a), obtaining thepermissions matrix that includes a list of administrator functions thatthe administrative entity is authorized to process.
 4. The method ofclaim 3 further comprises including, as the administrator functions, atleast one of: key recovery, key addition, key deletion, change of securecommunity policy, change of end-user attributes, change ofadministrative entity attributes, authority to change other entitiesattributes and permissions.
 5. The method of claim 1 further comprises,within step (a),from time to time, providing, by the administrativeentity, a permission request to the serving entity of the securecommunity, wherein the permission request includes an identity of theadministrative entity and a request to receive the permissions matrix;determining, by the serving entity, the permissions matrix for theadministrative entity; and providing, by the serving entity, thepermissions matrix in an encoded format to the remote administrativeentity.
 6. The method of claim 5 further comprises:encoding thepermissions matrix using a public key of the administrative entity toproduce an encrypted permissions matrix; and signing the encryptedpermissions matrix by the serving entity.
 7. The method of claim 6further comprises:upon receipt of the encrypted permissions matrix andthe signature of the serving entity, verifying authenticity of thesignature of serving entity; and when the signature has beenauthenticated, decrypting the encrypted permissions matrix using aprivate key of the administrative entity.
 8. The method of claim 1further comprises, within step (c), generating, by the administrativeentity, graphical user interface for valid administrative options basedon the permissions matrix.
 9. The method of claim 1 further comprises,within step (d) providing the administrative request over a secureon-line communication path or a secure store-and-forward communicationpath.
 10. The method of claim 1 further comprises, within steps(d)-(f):providing, by the administrative entity, a plurality ofadministrative requests; verifying, by the serving entity, identity ofthe administrative entity for each of the plurality of administrativerequests to produce verified administrative requests; and processing, bythe serving entity, each of the verified administrative requests in anasynchronous manner.
 11. The method of claim 1 further comprises, withinsteps (d)-(f),providing a plurality of administrative requests by aplurality of administrative entities; verifying, by the serving entity,identity of each of the plurality of administrative entities; verifying,by the serving entity, whether each of the plurality of administrativeentities is authorized to access a corresponding one of the of theplurality of administrative requests based on the permissions matrix ofeach of the plurality of administrative entities; and processing thecorresponding ones of the plurality of administrative requests for eachof the plurality of administrative entities that is authorized to accessthe corresponding one of the plurality of administrative requests. 12.The method of claim 11 further comprises, when access to a correspondingone of the plurality of administrative requests is not authorizedbecause a signature of another one of the plurality of administrativeentities is lacking, queuing the corresponding one of the plurality ofadministrative requests until the signature is received or a subsequentone of the plurality of administrative requests that completes thecorresponding one of the plurality of administrative requests isreceived.
 13. A method for an administrative entity to facilitate processing administration of a secure community, the method comprises the steps of: a) obtaining a permissions matrix in an encoded format from a serving entity of the secure community; b) upon receiving the permissions matrix, verifying authenticity of the permissions matrix based on the encoded format; c) when the authenticity of the permissions matrix is verified, generating an administrative request based on an administrator's input and the permissions matrix, wherein the administrative request includes identity of the administrative entity; and d) providing the administrative request to the serving entity over a secured link.
 14. The method of claim 13 further comprises, within step (a), obtaining the permissions matrix that includes a list of administrator functions that the administrative entity is authorized to process.
 15. The method of claim 14 further comprises including, as the administrator functions, at least one of: key recovery, key addition, key deletion, change of secure community policy, change of end-user attributes, change of administrative entity attributes, authority to change other entities attributes and permissions.
 16. The method of claim 13 further comprises, within step (a), from time to time, providing a permission request to the serving entity of the secure community, wherein the permission request includes an identity of the administrative entity and a request to receive the permissions matrix.
 17. A method for a serving entity to facilitate processing administration of a secure community, the method comprises the steps of: a) receiving an administrative request from an administrative entity over a secured link; b) verifying identity of the administrative entity; c) determining whether the administrative request is consistent with a permissions matrix of the administrative entity; and d) when the identity of the administrative entity is verified and when the administrative request is consistent with a permissions matrix, processing the administrative request.
 18. The method of claim 17 further comprises: from time to time, receiving, from the administrative entity, a permission request that includes an identity of the administrative entity and a request to receive the permissions matrix; determining the permissions matrix for the administrative entity; and providing the permissions matrix in an encoded format to the remote administrative entity.
 19. The method of claim 18 further comprises: encoding the permissions matrix using a public key of the administrative entity to produce an encrypted permissions matrix; and signing the encrypted permissions matrix.
 20. A server entity comprising: a processing unit; and memory operably coupled to the processing unit, wherein the memory stores programming instructions that, when read by the processing unit, causes the processing unit to (a) receive an administrative request from an administrative entity over a secured link; (b) verify identity of the administrative entity; (c) determine whether the administrative request is consistent with a permissions matrix of the administrative entity; and (d) process the administrative request when the identity of the administrative entity is verified and when the administrative request is consistent with a permissions matrix.
 21. The serving entity of claim 20 further comprises, within the memory, programming instructions that, when read by the processing unit causes the processing unit to, from time to time, receive, from the administrative entity, a permission request that includes an identity of the administrative entity and a request to receive the permissions matrix; determine the permissions matrix for the administrative entity; and provide the permissions matrix in an encoded format to the remote administrative entity.
 22. The serving entity of claim 21 further comprises, within the memory, programming instructions that, when read by the processing unit causes the processing unit to encode the permissions matrix using a public key of the administrative entity to produce an encrypted permissions matrix; and sign the encrypted permissions matrix.
 23. An administrative entity comprises: a processing unit; and memory operably coupled to the processing unit, wherein the memory stores programming instructions that, when read by the processing unit, causes the processing unit to (a) obtain a permissions matrix in an encoded format from a serving entity of the secure community; (b) upon receiving the permissions matrix, verifying authenticity of the permissions matrix based on the encoded format; (c) generate an administrative request based on an administrator's input and the permissions matrix when the authenticity of the permissions matrix is verified, wherein the administrative request includes identity of the administrative entity; and (d) provide the administrative request to the serving entity over a secured link.
 24. The administrative entity of claim 23 further comprises, within the memory, programming instructions that, when read by the processing unit causes the processing unit to obtain the permissions matrix that includes a list of administrator functions that the administrative entity is authorized to process.
 25. The administrative entity of claim 24 further comprises, within the memory, programming instructions that, when read by the processing unit causes the processing unit to include, as the administrator functions, at least one of: key recovery, key addition, key deletion, change of secure community policy, change of end-user attributes, change of administrative entity attributes, authority to change other entities attributes and permissions.
 26. The administrative entity of claim 23 further comprises, within the memory, programming instructions that, when read by the processing unit causes the processing unit to provide, from time to time, a permission request to the serving entity of the secure community, wherein the permission request includes an identity of the administrative entity and a request to receive the permissions matrix.
 27. A digital storage medium for storing programming instructions that, when read by a processing unit, causes the processing unit to facilitate processing administration of a secure community, the digital storage medium comprises: first means for storing programming instructions that, when read by the processing unit, causes the processing unit to receive an administrative request from an administrative entity over a secured link; second means for storing programming instructions that, when read by the processing unit, causes the processing unit to verify identity of the administrative entity; third means for storing programming instructions that, when read by the processing unit, causes the processing unit to determine whether the administrative request is consistent with a permissions matrix of the administrative entity; and fourth means for storing programming instructions that, when read by the processing unit, causes the processing unit to process the administrative request when the identity of the administrative entity is verified and when the administrative request is consistent with a permissions matrix.
 28. The digital storage medium of claim 27 further comprises means for storing programming instructions that, when read by the processing unit causes the processing unit to receive from the administrative entity a permission request that includes an identity of the administrative entity and a request to receive the permissions matrix; determine the permissions matrix for the administrative entity; and provide the permissions matrix in an encoded format to the remote administrative entity.
 29. The digital storage medium of claim 28 further comprises storage means for storing programming instructions that, when read by the processing unit causes the processing unit to encode the permissions matrix using a public key of the administrative entity to produce an encrypted permissions matrix; and sign the encrypted permissions matrix.
 30. A digital storage medium for storing programming instructions that, when read by a processing unit, causes the processing unit to facilitate processing administration of a secure community, the digital storage medium comprises: first means for storing programming instructions that, when read by the processing unit, causes the processing unit to obtain a permissions matrix in an encoded format from a serving entity of the secure community; second means for storing programming instructions that, when read by the processing unit, causes the processing unit to upon receiving the permissions matrix, verifying authenticity of the permissions matrix based on the encoded format; third means for storing programming instructions that, when read by the processing unit, causes the processing unit to generate an administrative request based on an administrator's input and the permissions matrix when the authenticity of the permissions matrix is verified, wherein the administrative request includes identity of the administrative entity; and fourth means for storing programming instructions that, when read by the processing unit, causes the processing unit to provide the administrative request to the serving entity over a secured link.
 31. The digital storage medium of claim 30 further comprises means for storing programming instructions that, when read by the processing unit causes the processing unit to obtain the permissions matrix that includes a list of administrator functions that the administrative entity is authorized to process.
 32. The digital storage medium of claim 31 further comprises storage means for storing programming instructions that, when read by the processing unit causes the processing unit to include, as the administrator functions, at least one of: key recovery, key addition, key deletion, change of secure community policy, change of end-user attributes, change of administrative entity attributes, authority to change other entities attributes and permissions.
 33. The digital storage medium of claim 30 further comprises means for storing programming instructions that, when read by the processing unit causes the processing unit to provide, from time to time, a permission request to the serving entity of the secure community, wherein the permission request includes an identity of the administrative entity and a request to receive the permissions matrix.
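
The serving-entity flow of claim 17 (verify identity, check the request against the permissions matrix, then process), combined with the queuing of claims 11 and 12 for requests that still lack another administrator's signature, as an added Python example that is not code from the patent. HMAC tags stand in for the signature-based identity check, and the administrator names, keys and the set of functions needing two signers are constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: one permissions-matrix row per administrator, plus
# per-administrator keys (HMAC is an assumed stand-in for signature checks).
PERMISSIONS = {
    "admin-a": {"key_addition", "key_recovery"},
    "admin-b": {"key_recovery"},
}
KEYS = {"admin-a": b"constructed-key-a", "admin-b": b"constructed-key-b"}
# Assumed policy: functions that need two distinct administrators to sign.
DUAL_CONTROL = {"key_recovery"}


def _message(admin_id, function, end_user):
    return f"{admin_id}|{function}|{end_user}".encode()


def sign(admin_id, function, end_user):
    """Administrative entity side: tag a request with the administrator's key."""
    msg = _message(admin_id, function, end_user)
    return hmac.new(KEYS[admin_id], msg, hashlib.sha256).hexdigest()


class ServingEntity:
    def __init__(self):
        self.pending = defaultdict(set)  # (function, end_user) -> signer ids
        self.processed = []

    def handle(self, admin_id, function, end_user, tag):
        # Verify the identity of the administrative entity.
        key = KEYS.get(admin_id)
        if key is None:
            return "rejected: unknown administrator"
        msg = _message(admin_id, function, end_user)
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: identity not verified"
        # The request must be consistent with this entity's permissions matrix.
        if function not in PERMISSIONS.get(admin_id, set()):
            return "rejected: not in permissions matrix"
        # Queue until a second, different administrator completes the request.
        if function in DUAL_CONTROL:
            signers = self.pending[(function, end_user)]
            signers.add(admin_id)
            if len(signers) < 2:
                return "queued: awaiting second signature"
            del self.pending[(function, end_user)]
        self.processed.append((function, end_user))
        return "processed"
```

The permissions check runs on the serving entity even though the administrative entity already holds a verified copy of its matrix, so a modified or misbehaving client cannot widen its own authority.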